From a11a1fd20ea911044bd68eb952b56abce21d6693 Mon Sep 17 00:00:00 2001 From: Igor Unanua Date: Tue, 8 Oct 2024 09:34:30 +0200 Subject: [PATCH] Upgrade iast rewriter to 2.5.0 (#4761) * Upgrade iast rewriter version to 2.5.0 * Implement tplOperator tracking method --- package.json | 2 +- .../src/appsec/iast/taint-tracking/csi-methods.js | 1 + .../iast/taint-tracking/taint-tracking-impl.js | 15 +++++++++++++++ .../resources/propagationFunctions.js | 8 ++++++++ .../taint-tracking/taint-tracking-impl.spec.js | 4 +++- yarn.lock | 8 ++++---- 6 files changed, 32 insertions(+), 6 deletions(-) diff --git a/package.json b/package.json index 821ed481d9a..a785ea6314e 100644 --- a/package.json +++ b/package.json @@ -77,7 +77,7 @@ }, "dependencies": { "@datadog/native-appsec": "8.1.1", - "@datadog/native-iast-rewriter": "2.4.1", + "@datadog/native-iast-rewriter": "2.5.0", "@datadog/native-iast-taint-tracking": "3.1.0", "@datadog/native-metrics": "^2.0.0", "@datadog/pprof": "5.3.0", diff --git a/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js b/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js index 62f49f2e830..2133971afb9 100644 --- a/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js +++ b/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js @@ -12,6 +12,7 @@ const csiMethods = [ { src: 'substring' }, { src: 'toLowerCase', dst: 'stringCase' }, { src: 'toUpperCase', dst: 'stringCase' }, + { src: 'tplOperator', operator: true }, { src: 'trim' }, { src: 'trimEnd' }, { src: 'trimStart', dst: 'trim' }, diff --git a/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js b/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js index 9f48a3add3f..5fa16d00d77 100644 --- a/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js +++ b/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js @@ -29,6 +29,7 @@ const TaintTrackingNoop = { substr: noop, substring: noop, stringCase: noop, + tplOperator: noop, trim: noop, trimEnd: noop } @@ -117,6 +118,20 @@ function csiMethodsOverrides (getContext) { return res }, + tplOperator: function (res, ...rest) { + try { + const iastContext = getContext() + const transactionId = getTransactionId(iastContext) + if (transactionId) { + return TaintedUtils.concat(transactionId, res, ...rest) + } + } catch (e) { + iastLog.error('Error invoking CSI tplOperator') + .errorAndPublish(e) + } + return res + }, + stringCase: getCsiFn( (transactionId, res, target) => TaintedUtils.stringCase(transactionId, res, target), getContext, diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/resources/propagationFunctions.js b/packages/dd-trace/test/appsec/iast/taint-tracking/resources/propagationFunctions.js index 4028f265b3e..de37c351789 100644 --- a/packages/dd-trace/test/appsec/iast/taint-tracking/resources/propagationFunctions.js +++ b/packages/dd-trace/test/appsec/iast/taint-tracking/resources/propagationFunctions.js @@ -12,6 +12,13 @@ function templateLiteralEndingWithNumberParams (str) { return `${str}Literal${num1}${num2}` } +function templateLiteralWithTaintedAtTheEnd (str) { + const num1 = 1 + const num2 = 2 + const hello = 'world' + return `Literal${num1}${num2}-${hello}-${str}` +} + function appendStr (str) { let pre = 'pre_' pre += str @@ -108,6 +115,7 @@ module.exports = { substrStr, substringStr, templateLiteralEndingWithNumberParams, + templateLiteralWithTaintedAtTheEnd, toLowerCaseStr, toUpperCaseStr, trimEndStr, diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/taint-tracking-impl.spec.js b/packages/dd-trace/test/appsec/iast/taint-tracking/taint-tracking-impl.spec.js index e0eb9fc580a..d356753d607 100644 --- a/packages/dd-trace/test/appsec/iast/taint-tracking/taint-tracking-impl.spec.js +++ b/packages/dd-trace/test/appsec/iast/taint-tracking/taint-tracking-impl.spec.js @@ -26,6 +26,7 @@ const propagationFns = [ 'substrStr', 'substringStr', 'templateLiteralEndingWithNumberParams', + 'templateLiteralWithTaintedAtTheEnd', 'toLowerCaseStr', 'toUpperCaseStr', 'trimEndStr', @@ -137,7 +138,8 @@ describe('TaintTracking', () => { 'concatSuffix', 'concatTaintedStr', 'insertStr', - 'templateLiteralEndingWithNumberParams' + 'templateLiteralEndingWithNumberParams', + 'templateLiteralWithTaintedAtTheEnd' ] propagationFns.forEach((propFn) => { if (filtered.includes(propFn)) return diff --git a/yarn.lock b/yarn.lock index cf7cba3f3f4..62d059200d9 100644 --- a/yarn.lock +++ b/yarn.lock @@ -263,10 +263,10 @@ dependencies: node-gyp-build "^3.9.0" -"@datadog/native-iast-rewriter@2.4.1": - version "2.4.1" - resolved "https://registry.yarnpkg.com/@datadog/native-iast-rewriter/-/native-iast-rewriter-2.4.1.tgz#e8211f78c818906513fb96a549374da0382c7623" - integrity sha512-j3auTmyyn63e2y+SL28CGNy/l+jXQyh+pxqoGTacWaY5FW/dvo5nGQepAismgJ3qJ8VhQfVWRdxBSiT7wu9clw== +"@datadog/native-iast-rewriter@2.5.0": + version "2.5.0" + resolved "https://registry.yarnpkg.com/@datadog/native-iast-rewriter/-/native-iast-rewriter-2.5.0.tgz#b613defe86e78168f750d1f1662d4ffb3cf002e6" + integrity sha512-WRu34A3Wwp6oafX8KWNAbedtDaaJO+nzfYQht7pcJKjyC2ggfPeF7SoP+eDo9wTn4/nQwEOscSR4hkJqTRlpXQ== dependencies: lru-cache "^7.14.0" node-gyp-build "^4.5.0"